• Wired: 6 fresh horrors from the Equifax (former) CEO’s Congressional hearing


    #135277

    Lily Hay Newman at Wired has distilled the essence of yesterday’s hearing with Richard Smith. It’s mind-boggling. As many of you know, I’m no fan of
    [See the full post at: Wired: 6 fresh horrors from the Equifax (former) CEO’s Congressional hearing]

    4 users thanked author for this post.
    • #135291

      Look at the guy on the right side of the picture – the one with the top hat and the white mustache. Was he photoshopped into the picture, or was there actually someone there that looked like that? That person makes the whole thing look comical. (Maybe that was the point.)

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
    • #135294

      I expect a company like Equifax, which traffics in my financial information, to have a paranoid, obsessive-compulsive approach to information security. They should be on top of everything; they should go way overboard to make sure that there are no breaches. And they should hire only certified OCD people to make sure that everything stays secure. That’s the only acceptable approach to take when you are handling the kind of sensitive information that Equifax traffics in.

      Equifax stored sensitive consumer information in plaintext rather than encrypt it… “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all,” Smith replied. “There are varying levels of security techniques that the team deploys in different environments around the business.”

      They didn’t use encryption throughout their system!

      the IRS awarded Equifax a no-bid, multimillion-dollar fraud-prevention contract last week.

      Very nice. Now Equifax has all of our tax information.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      3 users thanked author for this post.
    • #135300

      The point is that when Mr Smith went to Washington he was not going to be held accountable either criminally, legally or financially for his actions, even though he says he accepts full responsibility. He ‘retired’ as a result of the breach – he fell on his sword.

      No, he was fired and his sword was made of play dough. Fake integrity pitch.

      I find it telling that he ousted an unnamed lowly employee for failing to correctly apply the patch that would have avoided the breach. This vast IT department and cyber security team that Equifax had in place at the time should have known that the patch had failed. Logs would have revealed it. IT Management would have been aware of it. They had months to reschedule the fix and they failed to do so – was it delayed for business reasons, Mr Smith?

      The awarding of the IRS contract to Equifax after this breach is an indication that the government trusts this company to protect its databases from intruders. A total disconnect from reality. People who live in glass houses should not throw stones – hello lawmakers, this means you.

      5 users thanked author for this post.
      • #135335

        I find it telling that he ousted an unnamed lowly employee for failing to correctly apply the patch that would have avoided the breach. This vast IT department and cyber security team that Equifax had in place at the time should have known that the patch had failed.

        …if they actually cared.

        The awarding of the IRS contract to Equifax after this breach is an indication that the government trusts this company to protect its databases from intruders.

        The government moves really slowly on these sorts of processes. (I know – I used to work for the government.) I’m not a bit surprised. I am saddened, however, that they can’t cut the red tape and cancel this contract immediately in light of this extreme emergency.

        Reading the details of this case reminds me of New Orleans when Hurricane Katrina hit in 2005. The city simply was not prepared, because generally hurricanes miss New Orleans; but that time, Katrina hit New Orleans, and they weren’t prepared. Equifax was not adequately prepared for this, and that’s why it happened. I’m not excusing their lack of preparation, I’m just trying to analyze it.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
    • #135336

      And now I have to deal with ALL 3 credit reporting agencies to get my info locked down, PLUS, having to TRY to get a small short term loan to purchase a new Furnace / AC that just broke. I can see where this is going to be pretty expensive for us. Fees to get things locked. MORE fees to temporarily UNLOCK for 1 creditor. EXTRA time taken to get it done. AND delays on installation because of it all. If it wasn’t so frustrating, it would ALMOST be comical.

      Dave

    • #135345

      From Brian Krebs: “Bear in mind that Equifax’s poor security contributed to an epidemic of tax refund fraud at the IRS in the 2015 and 2016 tax years, when fraudsters took advantage of weak security questions provided to the IRS by Equifax to file and claim phony tax refund requests on behalf of hundreds of thousands of taxpayers.”

      This should have disqualified Equifax as a vendor-of-record at the IRS.

      Governments may be slow to get their act together, but this is more likely associated with sole sourcing this new contract from the IRS to get around Equifax not being able to meet mandatory RFP requirements (they suck at security).

    • #135444

      Equifax and its counterparts have no more real accountability to you and me than the neighborhood gossip does, if real accountability means enforceable without extraordinary effort. The lenders who pay its fees have no reason to care about the security of the data in the hands of a credit bureau, either – it’s not the lender’s problem. Not until the credit bureaus are made truly accountable to consumers will things change. As this episode illustrates, there is an inherent security risk in gathering financially sensitive information about people, which arguably creates a duty of care toward the consumer.

      1 user thanked author for this post.
    • #135302

      Woody asks: “I wonder about the other credit reporting agencies.” The New Republic has a good article titled “Break Up the Credit Reporting Racket” that will reinforce the view that credit-reporting companies are all sleazeballs and that it’s time to get rid of them. The article also has some interesting history. For example, did you know that Equifax started out as private detectives/investigators? And that they would include race, religion and sex lives in computing credit worthiness?

      As far as Experian’s history, there was a company called LifeLock whose niche was offering automated credit freezing services for a reasonable price, and Experian killed it. Here’s what Brian Krebs (krebsonsecurity.com) has to say:

      “By 2006, some 17 states offered consumers the ability to freeze their credit files, and the credit bureaus were starting to see the freeze as an existential threat to their businesses (in which they make slightly more than a dollar each time a potential creditor — or ID thief — asks to peek at your credit file).

      Other identity monitoring firms — such as LifeLock — were by then offering services that automated the placement of identity fraud controls — such as the “fraud alert,” a free service that consumers can request to block creditors from viewing their credit files… 

      Anyway, the era of identity monitoring services automating things like fraud alerts and freezes on behalf of consumers effectively died after a landmark lawsuit filed by big-three bureau Experian (which has its own storied history of data breaches). In 2008, Experian sued LifeLock, arguing its practice of automating fraud alerts violated the Fair Credit Reporting Act.

      In 2009, a court found in favor of Experian, and that decision effectively killed such services — mainly because none of the banks wanted to distribute them and sell them as a service anymore.”

      EDIT HTML to text – may not appear as intended

    • #135328

      Turns out the Monopoly guy at the hearing (behind Smith) is a gal.

      The protester was Amanda Werner of Americans for Financial Reform and Public Citizen, who also handed out Monopoly-style “Get out of jail free” cards. The Senate leadership has been pushing to roll back a rule issued by the Consumer Financial Protection Bureau in July that would curtail the use of arbitration clauses. The House has already voted to kill the rule.
